If an IPv4 address market forms, it's probably not going to be a black one. Or …

Obtaining IPv4 addresses has been getting more difficult in recent years, as ARIN and the four other Regional Internet Registries (RIRs) keep tightening their policies and procedures. So with the well running dry, where can an intrepid IP address user turn to get that IPv4 fix? The black market, of course. Economists have been predicting the emergence of a black market for IPv4 addresses for some time. Some industry experts say it's already here. We say, not so fast.

We're not scraping it just yet, but the bottom of the IPv4 address barrel is starting to show: of the 221 usable "/8" blocks of 16,777,216 IPv4 addresses, only 20 free ones remain in the IANA global pool. Address space equaling nearly 19 of those blocks is currently not yet used at the RIRs. For some time now, approximately one /8 block has been used up per month. So in the second half of next year, the IANA global pool will run dry, and less than two years after that, the RIRs will be cleaned out... that is, if nothing changes.

Getting addresses from the local RIR is basically free—even today. The procedures are tedious and you only get as much as you can show you're actually going to use, but even if you get the smallest possible block (a /24 or 256 addresses) you barely pay more than a thousand dollars in yearly registration costs; having a lawyer review the contract that you have to sign for all of this is probably more. And the costs per address go down as the number you hold increases. So obviously there is little reason to "buy" IP addresses on the black market today. That will, of course, change once the RIRs run out of IPv4 addresses. At that point, "investors" that bought up the assets of ISPs that went bankrupt may be sitting pretty, just like HP, which now has two /8 blocks to its name. That's right: HP has nearly one percent of all IPv4 addresses—it got block 15, and then it got block 16 after buying DEC.

Even if we assume the above imbalance of supply and demand, that doesn't necessarily create a black market. The whole idea of a black market is that the trading happens on the down-low. That's not going to happen with IP address trading as long as every computer comes with the traceroute command installed by default and Internet routing publicly exposes which addresses are used where. It only took me a minute to determine that in addition to the 15.0.0.0/8 and 16.0.0.0/8 blocks, HP is currently using another 30 (much smaller) blocks of IPv4 space.

But more importantly, the economics simply don't work. One percent of all the ARIN "members" use up 83 percent of the addresses given out in a year. So ARIN could still satisfy 99 percent of its customers with about half a /8 per year. And those will probably be happy to pay. However, with 3.7 billion addresses out there and only 33 million or so needed every year, the small-time address users won't create enough demand to create much of a market. Content suppliers need very few addresses.

The Comcasts, Softbanks, Frances, and Deutsche and British Telecoms of this world, on the other hand, now pay fractions of a penny per address per year. They use up many millions of addresses each year to connect new customers, and paying even $1 per address is going to be too expensive for them. Especially considering that the supply is going to be tighter every year, so the paying-for-addresses road leads them nowhere fast. It's much easier for the big ISPs to simply use the tens of millions of addresses they already have more efficiently: rather than give each user an address, make five existing users share one address and the four that are thus freed up are deployed somewhere else. That will cost a pretty penny in "carrier grade NAT" equipment, but the prices of CGNs will only go down and address prices will only go up, if the large ISPs participate in such a market.

The prospect of having to cut dozens or even hundreds of individual deals for small blocks of address space doesn't make this any more attractive. Of course some large blocks are available at places like HP, but because those blocks are so large and have been in use for so long, it's likely that expensive audits are necessary before this address space can be released. HP would hate to see Jane X. Comcastuser fly through their firewalls because she has an old dec.com address.

In the meantime, ARIN has abandoned its earlier policy that addresses couldn't be traded, and has adopted an address transfer policy. This still requires that the receiving entity shows that they're going to use the addresses in accordance with ARIN's conservative policies about address entitlement, though. This, of course, further ensures that nobody is ever going to give back unused address space for free, as trading is now legal and potentially profitable after the IPv4 warehouses have been exhausted. But apparently the ARIN constituency found the correct administration of IP address use more important than toeing the "IP addresses are not property" line—a notion that has never been tested in court, as far as I know.

But what are address traders buying and selling? Addresses are just numbers—they're only useful when you get to use them on the Internet. For that, you need the cooperation of an ISP. ARIN and the other RIRs explicitly say that the addresses they give out may or may not be routable. The old rule of thumb was always that the smallest acceptable block is a /24 (256 addresses). Then, in the late 1990s, Sprint decided that—with some exceptions—they would only accept /18s (16384 addresses) and larger blocks. So overnight, holders of smaller blocks were left out in the cold—their addresses were no longer reachable for Sprint customers. It's the network operator community that decides what's acceptable use for IP addresses—the administration efforts by the RIRs notwithstanding.

It's not unheard of for ISPs to provide connectivity to addresses that aren't "owned" by their users. A common case is one where an end-user organization doesn't have its own address block, but uses addresses from ISP A through both ISP A and ISP B. Usually, ISP B won't have a problem with that as long as ISP A doesn't have a problem with it. I wouldn't be surprised if, when the IPv4 address supplies have run out, people will simply usurp address space that appears to be unused. This includes much of the Department of Defense's address space, like 6.0.0.0/8. The first person to do this will probably have to pay their ISP handsomely to go along with this, but once a precedent is set, it will be open season on "dark" address space.

Iljitsch van Beijnum
Iljitsch is a contributing writer at Ars Technica, where he contributes articles about network protocols as well as Apple topics. He is currently finishing his Ph.D work at the telematics department at Universidad Carlos III de Madrid (UC3M) in Spain. Email: iljitsch.vanbeijnum@arstechnica.com // Twitter: @iljitsch